Looking at https://github.com/aatxe/irc?tab=readme-ov-file#configuring-irc-clients and https://docs.rs/irc/latest/irc/client/data/config/struct.Config.html#structfield.client_cert_path , it seems this already will support CertFP authentication. That alone should help remove passwords from the log files while also providing authentication during connection.

@brennen Were you opped in #wikimedia-releng when you tried? You probably need to be opped to set this.

IMHO this can be made public.

Apologies, I've not been well the past week so I forgot about this.

I performed a suppression and an unsuppression. These are the entries from the private suppression log:

• 2023-10-30T18:00:43 Stwalkerster talk contribs block secretly changed visibility of a revision on page User:Stwalkerster/sandbox: content unhidden and removed restrictions for administrators (T342487) (diff | more...)
• 2023-10-30T18:00:27 Stwalkerster talk contribs block secretly changed visibility of a revision on page User:Stwalkerster/sandbox: content hidden and applied restrictions to administrators (T342487) (diff | more...)

By 'suppression flag', you mean when the 'Hide username from edits and lists' box is checked when creating a block for a user

if an admin wants to hide a user's name, then their own user info should be hidden in the log as well? Is that what happens in the log? The log goes to the secret log instead of the public log?

@Ottomata Thanks! A good line of thinking is whether or not something is logged in the suppression log ( [[Special:Log/suppress]] ). If it is, it should be treated as private.

https://accounts.wmflabs.org/ is also down

OK, so now what I'm seeing is:

• 0/4 volume snapshot quota usage, which feels suspicious
• 2 volume snapshots, which don't want to delete with a delete snapshot:Snapshot is busy. error (in the messages tab)
• 2 volumes (accounts-oauth-b-database and oauth-www) which I can't delete with You are not allowed to delete volume: accounts-oauth-b-database errors (as a popup)
• and the volume group.

Thanks Andrew!

Looks like I've managed to get accounts-oauth-g-database stuck in detaching mode; would you mind helping that one along?

Hmmm... maybe this has come from a fundamental misunderstanding of how snapshots and volumes work on OpenStack. I had thought that a volume created from a snapshot was then independent of that snapshot, allowing the snapshot to be then removed leaving the volume? (FWIW, this is exactly how EBS volumes and EBS snapshots work on AWS).

The page/revision information affected is publicly visible through page histories, so indeed that should stay.

I've been having... fun... getting ratbox to compile on my Ubuntu focal desktop for testing. I've had to do some changes to includes/memory.h just to get it to compile which I'm not too happy about, along with setting the __NO_INLINE__ define.

I'm hoping to look tonight into whether I have the skills to sensibly patch-out PMs entirely, but I don't want to claim the task until I've got a clearer idea. I'm probably going to take the approach of just making callerid stricter, as the work to disable PMs is pretty much there with callerid.

After a brief look through the code, a quick and dirty fix might be something like this:

I've advised on IRC that it's possible to set /mode <nick> +g to prevent receiving PMs.

@LucasWerkmeister I see two requests in the system from you, neither with a cloak actually requested (as you suspected). I'll decline them both, which should allow you to resubmit the form with a request.

Done by Amanda on -checkuser and -privacy - the channel mode for both channels is now +Sint

@Yonatan.Bendahan Terraform works (mostly) fine, though it's not officially supported.

:facepalm: - of course, I should have read the surrounding comment. My apologies!

Bringing info across from duplicates T309030 and T309031 - this is an API edit request through a redirect.

Yes, I believe so.

I think I've moved our backup system over to a new 1GB Cinder volume. I'm going to let it run for a bit in parallel with the backup to NFS and double-check it's all fine.

We basically only use NFS as storage for database backups now as an off-instance recovery option. I think we shouldn't be using much space, but we should be writing to NFS daily at the moment, rotating around a few files.

This is now fixed on ACC's side too as of 18:46 UTC. Account creations and edits made by the ACC tool should have the correct useragent attached - thanks @Urbanecm and @Majavah! If there's any other instances you spot where we're still not setting a useragent (I'd be surprised, but it's not outside the realm of possibility), please do let me know :)

I've done a little bit of digging on ACC's side, and while I can't give an in-depth analysis just now, I can confirm the following points:

• ACC's OAuth-authenticated API requests (user creation and talk page editing for leaving a welcome message) all go through this method in the ACC code: https://github.com/enwikipedia-acc/waca/blob/009b4766ae527bba2952a8a6d9f2ae84ee700f55/includes/Helpers/OAuthProtocolHelper.php#L87 . I do not see anywhere we're setting the UserAgent here, so this might be the cause of the 0 UA seen in CheckUser
• ACC's non-OAuth-authenticated API requests (title blacklist/antispoof/does-this-account-already-exist queries, probably more that I can't remember) should all go through this class: https://github.com/enwikipedia-acc/waca/blob/009b4766ae527bba2952a8a6d9f2ae84ee700f55/includes/Helpers/HttpHelper.php. This sets the UA in the constructor from config, and thus will be Wikipedia-ACC Tool/0.1 (+https://accounts.wmflabs.org/internal.php/team)
• Our OAuth requests use the MediaWiki OAuth client composer dependency, defined in our composer.json as "mediawiki/oauthclient": "^1.1"
• The mediawiki/oauthclient code doesn't appear to have the capability of defining a useragent, so I'd expect it to use a PHP or cURL default UA: https://github.com/wikimedia/mediawiki-oauthclient-php/blob/33b46d714e7d026bda85993d89275854b7f3abe2/src/Client.php#L281

Flags +Vv were set on wikibugs in #wikipedia-en-ambassadors, though wikibugs isn't actually in that channel so I'm not sure why it's on this list.

You need the +R flag for CLEAR.

It's worth noting that the move to libera.chat (T283247 ) changes the TLS stack and drops support for anything below TLS1.2, whereas freenode supported TLS1.0

In T275664#6866662, @valhallasw wrote:

I'm not 100% sure what happens in case authentication fails, but presumably the entire connection then fails.

This appears to be much more than a one-off incident: https://en.wikipedia.org/wiki/Special:RecentChanges?hidebots=1&hidecategorization=1&hideWikibase=1&tagfilter=OAuth+CID%3A+1804&limit=500&days=7&damaging__likelybad_color=c4&damaging__verylikelybad_color=c5&tagfilter__OAuth+CID%3A+1804_color=c1&urlversion=2

I'll just note for the record that .NET Core 3.0 is now out of support - 3.1 is the most up-to-date version.

It would be useful to get accounts-dev.wmflabs.org whitelisted too, so we don't have to test stuff on the "prod" tool. I'm not too fussed if that's not possible though.

Apologies, I forgot to update this task - all Jessie instances have already been shut down and deleted.

I've just had to roll back from the Buster instance to the Jessie instance after reports of data corruption. Thankfully, I'd left the old instance running so a simple proxy redirection is all that was needed to switch back.

I've tried to migrate most stuff over to a new instance, but I've still got everything pointing at the old instance while I test that everything hasn't broken horribly. At the moment, I've done a lift-and-shift of the PHP5 code in the vague hope nothing breaks, but obviously that's not the best approach.

Pushed, tagged, and deployed to both prod and sandbox environments.

Oof, this was a silly one.

Will look at this when I get home from work.

-db3 is trivial, as it's shut down already and is hanging around simply because I've not checked everything was moved away from it, which I really should do soon. -mwoauth has historically been a pain every time I've had to deal with it, but realistically shouldn't be an issue either.

Assuming that's the case, can @Timeshifter (or anyone else) provide a link to some on-wiki consensus for this change?

This is getting a little off-topic here.

In T37947#2449718, @FastLizard4 wrote:

Bumping this task.

In T143349#2962892, @chasemp wrote:

account-creation-assistance accounts-db2

Any plans to upgrade this instance?

account-creation-assistance also currently has (and continues to need - T61662 ) access to the XFF data from the web proxy.